Android App Siphons Data on 200 Million Users

A popular Android keyboard application with over 200 million downloads was found gathering user information sending the data a remote server, Adguard reveals.

The offending application, GO Keyboard, has two versions available in Google Play, namely GO Keyboard – Emoji keyboard, Swipe input, GIFs and GO Keyboard – Emoticon keyboard, Free Theme, GIF, each with over 100 million downloads to date.

The keyboard is developed by Chinese firm GOMO, which has numerous applications in the mobile app store, under two developer accounts, namely GOMO Dev Team and GOMO Apps.

According to Adguard security researchers, the applications were designed to siphon a large amount of user data, including Google account emails, device language, IMSI, location, network type, screen size, Android version and build, and device model.

The data is gathered and sent to a remote server without explicit user consent, the researchers reveal. Furthermore, the practice also contradicts the application’s privacy policy, which claims that the software will never collect user personal information.

On top of that, the researchers also discovered that, shortly after installation, both applications would download and execute code from a remote server. Among the downloaded plugins, the researchers discovered some that have been marked as adware or potentially unwanted programs.

Because of this behavior, the applications are considered malicious in nature, the researchers say. They clearly violate the Google Play content policies, which state that apps are prohibited from stealing a user’s authentication information, as well as from downloading executable code from a source other than Google Play.

Another worrying aspect is that, because these applications are keyboards, everything that the user enters on the phone goes through them. The apps also communicate with dozens of third-party trackers and ad networks, in addition to getting access to sensitive data such as users’ identity, phone calls log, contacts, and microphone.

“Given the apps’ extensive permissions, remote code execution introduces severe security and privacy risks. At any time the server owner may decide to change the app behavior and not just steal your email address, but do literally whatever he or she wants,” Andrey Meshkov, Co-founder, Adguard, points out.

The security researchers have reported their findings to Google but it appears that the company hasn’t taken a decision yet and that both GO Keyboard versions continue to be available in Google Play.

“Having 200+ Million users does not make an app trustworthy. Do not blindly trust mobile apps and always check their privacy policy and what permissions do they require before the installation,” Meshkov concludes.

Related: Information-Collecting Android Keyboard Tops 50 Million Installs

Related: SpyDealer Malware Steals Private Data From Popular Android Apps

Related: Hundreds of Fake Android Antivirus Apps Deliver Malware